6 Replies Latest reply on Jul 9, 2013 6:55 AM by noor

    VPN over GRE (not GRE over VPN)

    paul_k New Member

      Netvanta 3430 - Enhanced at all locations

       

      Layout:

      central location - we'll call it #1  172.16.1

      remote location - #2 172.16.2

      remote location - #3 172.16.3

       

      I can set up a VPN link (using the GUI) between location #1 and #2

      When setting up the VPN between locations #1 and #3 - the connection fails with various errors:

      CRYPTO_IKE.NEGOTIATION IkePrepIsakmpKeyMat: IkeGetPreSharedKey failed

      CRYPTO_IKE.NEGOTIATION IkeMMConstructIDMsg: IkePrepareIsakmpKeyMat failed

      CRYPTO_IKE.NEGOTIATION IkeKEWaitProcess: IkeMMConstructIDMsg failed

      CRYPTO_IKE.NEGOTIATION IkeProcessData : IkeKEWaitProcess failed

       

      I have tried changing the various options - but to no avail...

       

      I am hoping that I can establish a GRE tunnel to this site - ( I will test this onsite later this week)

       

      So now the question is how can I establish a "VPN" from Site #1 to #3 - and have the traffic route correctly.

       

      I have tested a GRE tunnel (from #1 to my house) and can get it established - with a separate IP address subnet on the GRE tunnel - and can ping the two sides of the tunnel, but I cannot route traffic across the GRE between the private LANs; I am assuming this is some sort of firewall issue - if this could work this would be fine (I understand the lack of security issue)...

       

      But ideally having a secure connection would be best - so assuming that GRE can be established, can I create a VPN over the GRE and have it behave just like the already established VPN?

       

      Or is there another way to solve this problem?

       

       

      Paul

        • Re: VPN over GRE (not GRE over VPN)
          petersjncv Visitor

          Did you put an access policy on your GRE interface permitting traffic through the firewall?  Once FW is enabled on an AOS device, it applies across all interfaces.  You need separate policies to make sure your traffic gets through the interfaces. 

          Are your routers all running the same version of firmware?

          Can you attach a sample of your config?

            • Re: VPN over GRE (not GRE over VPN)
              paul_k New Member

              Thanks for the reply

               

              Unfortunately I am GUI handicapped - so I do need help putting down the access policy for the GRE interface, since this isn't easily implemented through the GUI.

               

              Here is the config as requested (Homebase - central location):

               

              ! ADTRAN, Inc. OS version R10.6.0.E
              ! Boot ROM version 17.06.01.00
              ! Platform: NetVanta 3430, part number 1202820G1
              !
              !
              hostname "Homebase"
              enable password Password
              !
              clock timezone -5-Eastern-Time
              !
              ip subnet-zero
              ip classless
              ip routing
              ipv6 unicast-routing
              !
              !
              domain-name "Homebase.contoso.com"
              domain-proxy
              name-server 75.75.75.75 75.75.76.76
              !
              !
              no auto-config
              !
              event-history on
              no logging forwarding
              logging forwarding priority-level info
              no logging email
              !
              no service password-encryption
              !
              username "admin" password "Password"
              !
              banner motd #


                              ****** Important Banner Message ******


              Enable and Telnet passwords are configured to "password".
              HTTP and HTTPS default username is "admin" and password is "password".
              Please change them immediately.
              The ethernet 0/1 interface is enabled with an address of 10.10.10.1
              Telnet, HTTP, and HTTPS access are also enabled.
              To remove this message, while in configuration mode type "no banner motd".


                              ****** Important Banner Message ******


              #
              !
              ip firewall
              no ip firewall alg msn
              no ip firewall alg mszone
              no ip firewall alg h323
              !
              no dot11ap access-point-control
              !
              ip crypto
              !
              crypto ike policy 101
                initiate main
                respond anymode
                local-id address 1.2.3.177
                peer 2.3.4.106
                attribute 1
                  encryption 3des
                  hash md5
                  authentication pre-share
              !
              crypto ike remote-id address 2.3.4.106 preshared-key keyonetwothree ike-policy 101 crypto map VPN 20 no-mode-config no-xauth
              !
              crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
                mode tunnel
              !
              crypto map VPN 20 ipsec-ike
                description Eastside
                match address VPN-20-vpn-selectors
                set peer 2.3.4.106
                set transform-set esp-3des-esp-md5-hmac
                reverse-route
                ike-policy 101
              !
              no ethernet cfm
              !
              interface eth 0/1
                description Inside
                ip address  172.16.1.254  255.255.255.0
                ip access-policy Private
                no shutdown
              !
              !
              interface eth 0/2
                description Internet
                ip address  1.2.3.177  255.255.255.252
                ip mtu 1500
                ip access-policy Public
                crypto map VPN
                no rtp quality-monitoring
                no shutdown
              !
              interface tunnel 1 gre ip
                description HFTunnel
                ip address  172.16.0.1  255.255.255.252
                ip mtu 1400
                ip access-policy Private
                tunnel source 1.2.3.177
                tunnel destination 3.6.9.165
                tunnel key 12345678
                keepalive
                no shutdown
              !
              ip access-list standard wizard-ics
                remark Internet Connection Sharing
                permit any
              !
              ip access-list extended self
                remark Traffic to NetVanta
                permit ip any  any     log
              !
              ip access-list extended VPN-20-vpn-selectors
                permit ip 172.16.1.0 0.0.0.255  172.16.2.0 0.0.0.255
              !
              ip access-list extended web-acl-10
                remark RDP33891
                permit tcp any  host 172.16.1.254 eq 33891   log
              !
              ip access-list extended web-acl-11
                remark RDP33892
                permit tcp any  host 1.2.3.177 eq 33892   log
              !
              ip access-list extended web-acl-13
                remark PPTPVPN
                permit gre any  host 1.2.3.177     log
                permit tcp any  host 1.2.3.177 eq 1723   log
              !
              ip access-list extended web-acl-7
                remark RDP33894
                permit tcp any  host 1.2.3.177 eq 33894   log
              !
              ip access-list extended web-acl-8
                remark RDP33893
                permit tcp any  host 1.2.3.177 eq 33893   log
              !
              ip access-list extended wizard-remote-access
                remark do not hand edit this ACL
                permit icmp any  any  echo   log
                permit tcp any  any eq https   log
              !
              ip policy-class Private
                allow list VPN-20-vpn-selectors stateless
                allow list self self
                nat source list wizard-ics interface eth 0/2 overload
              !
              ip policy-class Public
                allow reverse list VPN-20-vpn-selectors stateless
                allow list wizard-remote-access self
                nat destination list web-acl-7 address 172.16.1.4 port 3389
                nat destination list web-acl-8 address 172.16.1.3 port 3389
                nat destination list web-acl-10 address 172.16.1.1 port 3389
                nat destination list web-acl-11 address 172.16.1.2 port 3389
                nat destination list web-acl-13 address 172.16.1.4
              !
              ip route 0.0.0.0 0.0.0.0 1.2.3.178
              ip route 172.16.3.0 255.255.255.0 172.16.1.30
              ip route 172.16.4.0 255.255.255.0 172.16.0.2
              !
              no tftp server
              no tftp server overwrite
              http server
              http secure-server
              no snmp agent
              no ip ftp server
              ip ftp server default-filesystem flash
              no ip scp server
              no ip sntp server
              !
              ip sip udp 5060
              ip sip tcp 5060
              !
              line con 0
                login
                password Password
              !
              line telnet 0 4
                login
                password Password
                no shutdown
              line ssh 0 4
                login local-userlist
                no shutdown
              !
              sntp server us.pool.ntp.org version 3
              !
              ntp source ethernet 0/2
              !
              end

               

              Again, what I need to do is get subnets 172.16.1.x connected/routing to 172.16.3.x (172.16.2.x works via the VPN put in place by the wizard).

               

              Thanks,

               

              Paul

                • Re: VPN over GRE (not GRE over VPN)
                  petersjncv Visitor

                  Apologies for a slow response to your reply.

                   

                  If I understand correctly... 

                   

                  IPSec VPN is up - Site 1 to Site 2.

                  IPSec VPN will not work - Site 1 to Site 3

                   

                  As an alternative, you wish to use a GRE tunnel - Site 1 to Site 3. 

                   

                  Your GRE tunnel config looks correct and since you are anchoring to your WAN port, which is firewalled, you may need to allow GRE through the public access policy.  You have the ACL for that but I see that it is applied as a NAT destination in the public policy, which means you are forwarding any GRE packets to 172.16.1.4.  I believe you want it configured like this:

                  ip policy-class Public
                    allow reverse list VPN-20-vpn-selectors stateless
                    allow list wizard-remote-access self
                    allow list web-acl-13 self
                    nat destination list web-acl-7 address 172.16.1.4 port 3389
                    nat destination list web-acl-8 address 172.16.1.3 port 3389
                    nat destination list web-acl-10 address 172.16.1.1 port 3389
                    nat destination list web-acl-11 address 172.16.1.2 port 3389

                   

                  Also, once your GRE tunnel comes up, you will just need a route for the 3 network.  Right now I see that route is "ip route 172.16.3.0 255.255.255.0 172.16.1.30" but if the 3 network is on the other side of the GRE tunnel then the route should be "ip route 172.16.3.0 255.255.255.0 172.16.0.2".

                   

                  If I am understanding your needs correctly, then I believe this change in your configuration should work.
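As an added check, not part of the thread or any ADTRAN tooling, here is a small Python audit that applies the two points raised above to an AOS-style config excerpt: it flags a GRE-permitting ACL that is only referenced as a NAT destination in a policy-class rather than allowed to self (so tunnel packets are forwarded to an inside host instead of terminating on the router), and a static route for the remote LAN whose next hop does not sit in the GRE tunnel subnet. The excerpt is constructed from the config Paul posted; the parser understands only the indentation and "!" block layout of the dump, not the full AOS grammar.

```python
import re, ipaddress
# Constructed excerpt modelled on the config posted above (not the real device dump).
CONFIG = """\
interface tunnel 1 gre ip
  ip address  172.16.0.1  255.255.255.252
!
ip access-list extended web-acl-13
  permit gre any  host 1.2.3.177     log
ip policy-class Public
  allow list wizard-remote-access self
  nat destination list web-acl-13 address 172.16.1.4
ip route 172.16.3.0 255.255.255.0 172.16.1.30
"""

def sections(cfg):  # yield (header, body_lines) per top-level AOS block; "!" or a new header ends one
    header, body = None, []
    for line in cfg.splitlines():
        if line.startswith(" ") and header is not None:
            body.append(line.strip())
            continue
        if header is not None:
            yield header, body
        header, body = (None, []) if line.startswith("!") else (line.strip(), [])
    if header is not None:
        yield header, body

def audit(cfg, remote_lan="172.16.3.0/24"):
    """Return findings; an empty list means both checks raised in the thread pass."""
    gre_acls, allowed_self, nat_dest, tunnel_net, routes = set(), set(), set(), None, {}
    for header, body in sections(cfg):
        w = header.split()
        if w[:2] == ["ip", "access-list"] and any(ln.startswith("permit gre") for ln in body):
            gre_acls.add(w[-1])  # ACL matching GRE (IP protocol 47)
        elif w[:2] == ["interface", "tunnel"]:
            m = re.search(r"ip address\s+(\S+)\s+(\S+)", "\n".join(body))
            tunnel_net = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False) if m else None
        elif w[:2] == ["ip", "policy-class"]:
            for t in (ln.split() for ln in body):
                if t[:2] == ["allow", "list"] and t[-1] == "self":
                    allowed_self.add(t[2])  # traffic delivered to the router itself
                elif t[:3] == ["nat", "destination", "list"]:
                    nat_dest.add(t[3])  # traffic port-forwarded to an inside host
        elif w[:2] == ["ip", "route"]:
            routes[str(ipaddress.ip_network(f"{w[2]}/{w[3]}"))] = w[4]
    findings = [f"GRE ACL {a} is {'NAT-forwarded to an inside host' if a in nat_dest else 'unreferenced'},"
                f" never allowed to self" for a in sorted(gre_acls - allowed_self)]
    hop = routes.get(remote_lan)
    if hop and tunnel_net and ipaddress.ip_address(hop) not in tunnel_net:
        findings.append(f"route to {remote_lan} via {hop} does not point into tunnel subnet {tunnel_net}")
    return findings
```

Running audit(CONFIG) reports both problems; applying the two changes from the reply above (allow web-acl-13 to self, next hop 172.16.0.2) makes it return an empty list.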